A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network securely. VPNs encapsulate data transfers using secure cryptographic methods and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.


A customer is deploying a cellular Internet solution that will provide site-to-site VPN services from remote locations back to a single central location. The cellular network will be deploying sites using dynamic IP addresses vs. fixed IPs.

This dynamic IP VPN solution can easily be handled by either Meraki or Cisco Easy VPN, whereby the clients connect to a fixed/predictable head-end device, and negotiation figures everything else out. This assumes that the head-end device is at the network edge, vs. on a DMZ segment behind another firewall layer. The problem (I believe) is that the recommended design for a VPN head-end would be behind an edge firewall. If so, then traffic from the VPN endpoints with dynamically assigned IP addresses would have to be permitted through this layer, and how would (or could) that be handled?

I think the basic questions would be:

  • Are Internet carriers that provision sites with dynamic IP addresses able to provide ranges which could be configured on edge firewalls to permit traffic sources? (Obviously, the ACL entries would also include the destination IP of the VPN firewall and be restricted to IPsec traffic.)
  • If the above isn't possible, how is this design/deployment handled?

I'm basically trying to determine if we can handle the above design (dynamic IP VPN clients connecting to a head-end beyond another firewall layer), or would this require the clients to have fixed IPs?

Thank you

How can I make the same user on OpenVPN make two sessions, not more?
I tried:
duplicate-cn  2

but I see that the same user can make 3 connections!

Hello Experts,

I am not a Microsoft person but due to my work situation I get involved in Microsoft connectivity issues. We have an RDS site and we publish applications in the site. Users are given VPN access to the company site; some users use their own laptops (non-domain) and some are in the domain. Users connect to the company network via VPN, access the RDS site and can click on the icons that represent the application, and it will launch a RemoteApp for them.

I have two users with Windows 10; they connect to the VPN and can log in to the RDS site, but when they launch the RemoteApp application they get a weird message. I tried from my personal laptop, which is Windows 7, logged in as them and was able to launch the applications with no issues. I wonder why that is.

The error message they get is "Starting your app --> initiating remote connection", and a window pops up that shows
RemoteApp disconnected with red X
Remote desktop can't connect to the remote computer "xxxxx.domain.com" for one of the reasons:

1. your user account is not authorized to access the RD Gateway " xxxx.domain.com"
2. Your computer is not authorized to access the RD Gateway"xxxx.domain.com"
3. You are using an incompatible authentication method (for example, the RD Gateway might be expecting a smart card but you provided a password)

This error message does not show up when I use the Windows 7 laptop. Does anyone know what the problem is and how to make this work for these users.…

Server 2012 Standard
Windows VPN
The VPN is set up and working. The issue is that I do not seem to be able to find where to get it to use a static local IP instead of a DHCP address.
Hence, every time the server reboots it grabs a different one.
I have a remote user overseas who maps a drive by IP.

If someone would be kind enough to point me to the setting, I would be thankful.

I am trying to implement a VPN using my Netgear Nighthawk. The client is OpenVPN and the configuration files are downloaded from the router; this includes the client certificate, which seems to be the problem. When I try to connect I get the following error in the log:

Tue Nov 13 13:46:04 2018 Certificate does not have key usage extension
Tue Nov 13 13:46:04 2018 VERIFY KU ERROR
Tue Nov 13 13:46:04 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Nov 13 13:46:04 2018 TLS_ERROR: BIO read tls_read_plaintext error
Tue Nov 13 13:46:04 2018 TLS Error: TLS object -> incoming plaintext read error
Tue Nov 13 13:46:04 2018 TLS Error: TLS handshake failed

Looking around on the internet I don't find a clear explanation on how to correct the problem.

The client is loaded on Win 10 Pro. I don't know what else you might need to help me; let me know and I will try to get the info.

Trying to VPN out from a server (Windows 2012) but getting a 720 error - this used to work but not sure what changed.

The VPN connection is one we set up using the built-in VPN connection under Network and Sharing Center... We have a few users that remote into it and then VPN out to customer sites (they have Macs and we use a piece of software called RADMIN to remotely connect to the customer PCs). There isn't a RADMIN compatible client for a Mac. So they Remote Desktop into the server and then VPN out / connect to the remote PC using RADMIN.

I set a group policy to allow remote desktop only from inside the network.

I set up some users to establish a VPN connection to the server's VPN, with the Windows VPN service.

Will they be able to remote into their computer with Remote Desktop once they establish a VPN connection? Will they be considered part of the network, so the group policy will allow them to remote to their computer?

Server 2012

Working to establish IPsec Site-to-Site VPN, the local network is 192.168.0.x behind a Cisco RV130W and far end has a Cisco NSA 2600 and also has a pre-existing VPN with the 192.168.0.x subnet. The tunnel needs to support a single host on each end.

Is it possible to assign a 2nd IP Address to the PC in my network, say, and use this for the VPN?
I have a user that connects to the office network (2012 AD domain) from a Surface Book running Windows 10 Pro (the machine is a domain member) using SonicWall VPN client programs; I tried both GVC and SSL VPN to resolve this issue.

The issue is her mapped drive to the file server does not connect all the time.  If she waits long enough it eventually connects.  

Sometimes rebooting the Surface Book fixes it, sometimes not.  

Her other mapped drives work fine and connect without issue.  All sharing and security is the same for the network shares.

When the drive is mapped like this: \\server-name\share-name it does not connect or takes a while to connect.

When the drive is mapped like this \\server-ip-address\share-name  it connects without issue.

I'm ok with using the IP address in the mapping path, but was wondering what might be the cause since I have 10+ other users who do not have the issue, some of whom have identical Surface books.

Is this a NetBIOS issue? Is it possible her home router is not resolving NetBIOS names to IP addresses? It works fine when she is on the office Wi-Fi, which uses a different IP scheme than the network LAN.

Any help is appreciated.

I have a Netgear X10 R9000 Nighthawk router on one end and a XyWall firewall device on the other end and I've been asked to set up a hardware VPN connection between the two.

Looking at the Nighthawk, it doesn't look doable as the Netgear device requires me to download a client to install on a device.  

I'd like to set up a router to router VPN so no client is needed and my thinking is I need like devices on each end.  I can buy another Xywall and replace the Nighthawk if need be.

Thoughts on this?  I'm not familiar with the Xywall but it's got a GUI and I work in SonicWall, Netgear, Cisco, etc devices all the time and do this, so I'm thinking I can figure out the Xywall.

Anyway, thoughts on making this happen?  Device to device VPN between the Netgear r9000 and the Xywall?




I want to use an SSL certificate for SSL VPN or web management access to my Fortigate 200D (version 5.6.3).
An SSL domain certificate bought from a trusted CA appears to have been correctly uploaded to my Fortinet firewall but is not shown in menus such as VPN/SSL-VPN Settings or System/Settings/Administration Settings (Web UI). If I use the command line, it's the same problem. The certificates are in the VPN list:
show vpn certificate local
get vpn certificate local details
But I cannot select my domain certificate (for example, with "config vpn ssl settings" and "set servercert ....").

How did I proceed?
After generating and sending the CSR to the CA, I got instructions to create two .csr files. I uploaded the first (for the domain) as a local certificate (the status changed from pending to OK), and also uploaded the intermediate certificate of the CA. Both are in the certificate list. That looks fine, the status is OK. But they are not in the menus when I want to select the domain certificate.
I've followed the official documentation
Other source
NB: sslsupportdesk is not my CA (mine is a well known one).

The only thing is that the documentation does not mention the password for the private key (it is certainly a bit too old). I have tried with a 4096-bit …

So we currently have a Cisco ASA 5512-X, v9.2.

We are currently on split tunnel for VPN, however, we want to move away from split tunnel as it causes routing issues for us to AWS.

Is there a good way for me to build out another VPN interface and apply new profiles/rules to test?
Hi All,

I'm trying to setup a VPN for Windows 2016 R2.

My current network setup is
192.168.0.x  (x between 0 and 3)

My current DHCP pool is 192.168.2.X

The 192.168.3.X was reserved (from a logical standpoint) for the VPN.

How do I go about actually adding 192.168.3.X to my DHCP pool, or configuring the VPN with a static pool?

Side note:
I have tried using the static pool, but when I pull the IP address from the VPN I get a subnet of and can't ping any devices on the network. Trying to get the subnet to be .252.

Also please note that this connection will be for mobile phones / tablets, so I'm not sure if adding routes to clients is an option.

Please advise.
I'm activating 2-step verification on my firewall for my users' VPN access and it needs to email my users the code. For this I need to allow my firewall to send email through my Exchange 2016; this is a relay to external, and in Exchange 2003 I would have set that up in 5 seconds... but not in 2016...
I found a couple of "how-to's" which say part of the work needs to be done in the command line and the other part in the web console (what a pain...), but my main unknown is that some say it has to be applied on the "receive connector" and others say it is the "send connector"..
"send" https://www.youtube.com/watch?v=rMjHcN7jM_A

Some of the emails are destined for my Exchange's own users' mailboxes, but a few will go external to some Gmail addresses and others...

thanks for the info... I really don't want to open relay external to all ;)
Hi guys

We have an application on our work premises that people externally use VPN to access. The port has been set to 'ANY'. However, if I wanted to lock this port down, I have some issues as there is no documentation on what the ports are. When I look at the firewall logs, I can see that the source port always changes but the destination port stays the same. What does this mean if the source port changes but the destination port is the same? I assume the destination port is the port on the application on our side and therefore we can lock the VPN ports down to this destination port?

Thanks for helping
Morning, I am trying to set up a Windows 2016 VPN via L2TP but keep getting the below error.
Anyone know what I can do to fix it?

During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Local Network Address:
Remote Network Address:
Keying Module Name:      IKEv1

We have a user who is considering purchasing Phantom VPN from AVIRA for accessing his shows when visiting other countries (which will not permit access from outside the US, for example his 2 favorites, Hulu and Netflix). He also said that he wanted anonymity as to the sites he visits, so they won't know his real IP.

That said, even though there may be an option not to show your real location using a VPN, can the info be accessed or requested from the VPN provider, in this case Avira?

Appreciate your opinions on the subject,

I have two users set up in Active Directory: user-a is in Group A and user-b is in Group A and Group B.

In the ASA LDAP mappings I have,

"User group A" mapped to "End user VPN profile" and "group B" mapped to "Admin user VPN profile".

However, if either user A or B logs in, they both get the end user profile. Is there any way to prioritise the profile assignment so that "user b" gets the admin profile and "user a" gets the end user one?

I feel like this should be possible, or does each user need to be in a unique group? In the debug I can see the member-of groups are being returned correctly, and I have copied and pasted the group and policy names from there to ensure there are no mistypes.

I was told we are joining a new company that has the same IP scheme as our present company. How do we resolve this issue with the least amount of time? Can you provide some documentation as to the process, maybe videos from YouTube or somewhere? I believe they are in a data center environment and I was told they are the same IPs, but somehow we need to connect them together with the same IP scheme?

I'm troubleshooting a VPN connection using Checkpoint. I keep getting dropped from time to time. Here are the logs from the Checkpoint firewall:
[28 Oct 7:13:54] IKE tunnel disconnected, error code=-1000. Reason: Site is not responding.
[28 Oct 7:13:54] Client state is connected
[28 Oct 7:13:54] Tunnel (2) disconnected. State is connected. Trying to reconnect.
[28 Oct 7:14:22] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:14:22] Client state is reconnecting
[28 Oct 7:14:22] Reconnect failed. trying again (2)
[28 Oct 7:15:20] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:15:20] Client state is reconnecting
[28 Oct 7:15:20] Reconnect failed. trying again (2)
[28 Oct 7:16:05] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:05] Client state is reconnecting
[28 Oct 7:16:05] Reconnect failed. trying again (2)
[28 Oct 7:16:23] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:16:23] Client state is reconnecting
[28 Oct 7:16:23] Reconnect failed. trying again (2)
[28 Oct 7:17:02] IKE connection failed, error code=-1000. Reason: Site is not responding.
[28 Oct 7:17:02] Client state is reconnecting
[28 Oct 7:17:02] Reconnect failed. trying again (2)

Can someone get me started on the troubleshooting? What is happening and how can I fix it?

I have a laptop with Windows 7 joined to a domain (Server 2012). Often (but not always) when it's off the corporate network and the user connects to the network via a SonicWall VPN and then attempts an RDP connection to their desktop on site (also Win 7), they get the message "There are currently no logon servers available to service the logon request".

I found a workaround, and that is to log in to the remote machine as the local domain administrator and then try to log in again as the regular user - it lets them right on. I don't even have to let the admin login complete - usually the warning that another user is connected and will lose their work appears, and even clicking cancel and then trying the regular user still lets them on.

For obvious reasons, I'd love to figure this out and resolve it rather than having to log in as the admin prior to the user logging in.

I have one Cisco RV016 router. I'm configuring VPN. I created the user and exported the client certificate.
On my notebook I installed the QuickVPN client and copied the client certificate into its folder.
But I'm not connecting; I've got a warning: "Server's certificate doesn't exist on your computer....." Even if I continue I get another error: "Connection failure."
What am I doing wrong?

We are using the Windows version of STunnel from https://www.stunnel.org/downloads.html.
The server install generated a certificate stunnel.pem.

We tried using it for the client with the configuration below but it did not work.

cert = stunnel.pem
key = stunnel.pem
CAfile = <cername>.pem
CRLfile = <something here?>
sslVersion = TLSv1.2

1. Could you provide some step-by-step instructions on how to configure the Windows client to use the certificate?
We did configure TLSv1.2 on it.

2. What is the easiest way to test that STunnel is working?

3. If we would like to generate a more secure certificate from the server, how do we do it?
The STunnel documentation does not recommend using the default certificate.

We have a new 2nd building on property we own. Someone got Verizon FiOS at the 2nd building (it was already in the 1st building). They are about 1,200 feet apart with line of sight.

We need the 2nd building to be able to access the network in the first building (and minimize costs). The 2nd building will have 1-2 users and MAYBE some file transfers between the 2 buildings, but mostly email and web surfing.

I'm trying to see the costs for connecting the 2nd building to our existing network / do we need fios at that 2nd building

Some options I thought of?

1) Set up a VPN - we have a WatchGuard at building 1 already and that has a VPN to another office in another state. So add a WatchGuard unit for $500? at building 2 and some config time / costs, and still have the FiOS ongoing costs. Anyone know the throughput of a VPN using Verizon FiOS at both ends? It's lower than the speed you are paying for from Verizon, right?

2) Wireless? Maybe Unifi Nanobeam 5AC gen 2

$113 each and we need 2 of them, plus time / money for hardware, mounting poles, etc. That would get 400Mbit, which is fine (mostly email / web surfing etc. at the far end). But what if we want gigabit on wireless? Is that doable at a reasonable cost? And can we cancel the FiOS?

3)  Fiber? I called Lanshack.com and they are saying the fiber cable would need to be outdoor rated (regardless of being …
I am traveling to China for a couple of weeks and I would like to use a VPN to bypass the "Great Firewall of China". Is there a free VPN I could use while I am traveling around? Bandwidth is not a huge issue; I mostly would like to check my Gmail etc. I am using an iPhone SE.